Merge branch 'main' into Matvey-Kuk/runbooks-rework

keephq · Nov 24, 2024 · ffb51b7 · ffb51b7
2 parents 132ee65 + ea748d0
commit ffb51b7
Show file tree

Hide file tree

Showing 690 changed files with 34,487 additions and 16,775 deletions.
diff --git a/.github/workflows/test-pr.yml b/.github/workflows/test-pr.yml
@@ -64,7 +64,7 @@ jobs:
     steps:
       - name: Checkout
         uses: actions/checkout@v3
-    
+
       - uses: chartboost/ruff-action@v1
         with:
           src: "./keep"
@@ -101,6 +101,8 @@ jobs:
           poetry run coverage run --branch -m pytest --ignore=tests/e2e_tests/
 
       - name: Convert coverage results to JSON (for CodeCov support)
+        env:
+          LOG_LEVEL: DEBUG
         run: poetry run coverage json --omit="keep/providers/*"
 
       - name: Upload coverage reports to Codecov

diff --git a/README.md b/README.md
diff --git a/assets/connect_providers.gif b/assets/connect_providers.gif
diff --git a/assets/sneaknew.png b/assets/sneaknew.png
diff --git a/assets/upload_workflow.gif b/assets/upload_workflow.gif
diff --git a/assets/view_alerts.gif b/assets/view_alerts.gif
diff --git a/docker-compose.common.yml b/docker-compose.common.yml
@@ -7,7 +7,8 @@ services:
       - NEXTAUTH_URL=http://localhost:3000
       - NEXT_PUBLIC_API_URL=http://localhost:8080
       - POSTHOG_KEY=phc_muk9qE3TfZsX3SZ9XxX52kCGJBclrjhkP9JxAQcm1PZ
-      - POSTHOG_HOST=https://app.posthog.com
+      - POSTHOG_HOST=https://ingest.keephq.dev
+      - NEXT_PUBLIC_SENTRY_DSN=https://0d4d59e3105ffe8afa27dcb95a222009@o4505515398922240.ingest.us.sentry.io/4508258058764288
       - PUSHER_HOST=localhost
       - PUSHER_PORT=6001
       - PUSHER_APP_KEY=keepappkey

diff --git a/docker-compose.dev.yml b/docker-compose.dev.yml
@@ -5,6 +5,7 @@ services:
       service: keep-frontend-common
     environment:
       - API_URL=http://keep-backend-dev:8080
+      - SENTRY_DISABLED=true
     build:
       dockerfile: docker/Dockerfile.dev.ui
     volumes:

diff --git a/docker/Dockerfile.api b/docker/Dockerfile.api
@@ -35,4 +35,7 @@ RUN chgrp -R 0 /app && chmod -R g=u /app
 RUN chown -R keep:keep /app
 RUN chown -R keep:keep /venv
 USER keep
-ENTRYPOINT ["gunicorn", "keep.api.api:get_app", "--bind" , "0.0.0.0:8080" , "--workers", "4" , "-k" , "uvicorn.workers.UvicornWorker", "-c", "/venv/lib/python3.11/site-packages/keep/api/config.py"]
+
+ENTRYPOINT ["/venv/lib/python3.11/site-packages/keep/entrypoint.sh"]
+
+CMD ["gunicorn", "keep.api.api:get_app", "--bind" , "0.0.0.0:8080" , "--workers", "4" , "-k" , "uvicorn.workers.UvicornWorker", "-c", "/venv/lib/python3.11/site-packages/keep/api/config.py"]
diff --git a/docker/Dockerfile.dev.api b/docker/Dockerfile.dev.api
@@ -21,6 +21,8 @@ RUN . /venv/bin/activate && poetry install --no-root
 ENV PYTHONPATH="/app:${PYTHONPATH}"
 ENV PATH="/venv/bin:${PATH}"
 ENV VIRTUAL_ENV="/venv"
+ENV POSTHOG_DISABLED="true"
 
+ENTRYPOINT ["/app/keep/entrypoint.sh"]
 
 CMD ["gunicorn", "keep.api.api:get_app", "--bind" , "0.0.0.0:8080" , "--workers", "1" , "-k" , "uvicorn.workers.UvicornWorker", "-c", "./keep/api/config.py", "--reload"]
diff --git a/docker/Dockerfile.ui b/docker/Dockerfile.ui
@@ -65,10 +65,11 @@ EXPOSE 3000
 
 ENV PORT 3000
 ENV POSTHOG_KEY=phc_muk9qE3TfZsX3SZ9XxX52kCGJBclrjhkP9JxAQcm1PZ
-ENV POSTHOG_HOST=https://app.posthog.com
+ENV POSTHOG_HOST=https://ingest.keephq.dev
 ENV PUSHER_HOST=localhost
 ENV PUSHER_PORT=6001
 ENV PUSHER_APP_KEY=keepappkey
+ENV NEXT_PUBLIC_SENTRY_DSN=https://0d4d59e3105ffe8afa27dcb95a222009@o4505515398922240.ingest.us.sentry.io/4508258058764288
 
 
 ENTRYPOINT ["/app/entrypoint.sh"]
diff --git a/docs/api-ref/alerts/get-alert-quality.mdx b/docs/api-ref/alerts/get-alert-quality.mdx
@@ -0,0 +1,3 @@
+---
+openapi: get /alerts/quality/metrics
+---
diff --git a/docs/api-ref/dashboard/get-metric-widgets.mdx b/docs/api-ref/dashboard/get-metric-widgets.mdx
@@ -0,0 +1,3 @@
+---
+openapi: get /dashboard/metric-widgets
+---
diff --git a/docs/api-ref/incidents/add-comment.mdx b/docs/api-ref/incidents/add-comment.mdx
@@ -0,0 +1,3 @@
+---
+openapi: post /incidents/{incident_id}/comment
+---
diff --git a/docs/api-ref/incidents/commit-with-ai.mdx b/docs/api-ref/incidents/commit-with-ai.mdx
@@ -0,0 +1,3 @@
+---
+openapi: post /incidents/ai/{suggestion_id}/commit
+---
diff --git a/docs/api-ref/incidents/create-incident.mdx b/docs/api-ref/incidents/create-incident.mdx
@@ -0,0 +1,3 @@
+---
+openapi: post /incidents
+---
diff --git a/docs/api-ref/incidents/create-with-ai.mdx b/docs/api-ref/incidents/create-with-ai.mdx
@@ -0,0 +1,3 @@
+---
+openapi: post /incidents/ai/suggest
+---
diff --git a/docs/api-ref/incidents/get-future-incidents-for-an-incident.mdx b/docs/api-ref/incidents/get-future-incidents-for-an-incident.mdx
@@ -0,0 +1,3 @@
+---
+openapi: get /incidents/{incident_id}/future_incidents
+---
diff --git a/docs/api-ref/incidents/get-incident-workflows.mdx b/docs/api-ref/incidents/get-incident-workflows.mdx
@@ -0,0 +1,3 @@
+---
+openapi: get /incidents/{incident_id}/workflows
+---
diff --git a/docs/api-ref/incidents/get-incidents-meta.mdx b/docs/api-ref/incidents/get-incidents-meta.mdx
@@ -0,0 +1,3 @@
+---
+openapi: get /incidents/meta
+---
diff --git a/docs/api-ref/incidents/merge-incidents.mdx b/docs/api-ref/incidents/merge-incidents.mdx
@@ -0,0 +1,3 @@
+---
+openapi: post /incidents/merge
+---
diff --git a/docs/api-ref/incidents/receive-event.mdx b/docs/api-ref/incidents/receive-event.mdx
@@ -0,0 +1,3 @@
+---
+openapi: post /incidents/event/{provider_type}
+---
diff --git a/docs/api-ref/root.mdx b/docs/api-ref/root.mdx
@@ -0,0 +1,3 @@
+---
+openapi: get /
+---
diff --git a/docs/api-ref/workflows/get-workflow-by-id-1.mdx b/docs/api-ref/workflows/get-workflow-by-id-1.mdx
@@ -0,0 +1,3 @@
+---
+openapi: get /workflows/{workflow_id}/runs
+---
diff --git a/docs/deployment/authentication/azuread-auth.mdx b/docs/deployment/authentication/azuread-auth.mdx
@@ -0,0 +1,202 @@
+---
+title: "Azure AD Authentication"
+---
+
+<Tip>
+This feature is a part of Keep Enterprise.
+
+Talk to us to get access: https://www.keephq.dev/meet-keep
+</Tip>
+
+Keep supports enterprise authentication through Azure Active Directory (Azure AD), enabling organizations to use their existing Microsoft identity platform for secure access management.
+
+## When to Use
+
+- **Microsoft Environment:** If your organization uses Microsoft 365 or Azure services, Azure AD integration provides seamless authentication.
+- **Enterprise SSO:** Leverage Azure AD's Single Sign-On capabilities for unified access management.
+
+## Setup Instructions (on Azure AD)
+
+### Creating an Azure AD Application
+
+1. Sign in to the [Azure Portal](https://portal.azure.com)
+2. Navigate to **Microsoft Entra ID** > **App registrations** > **New registration**
+
+<Frame>
+  <img src="/images/azuread_1.png" width="1000" alt="Azure AD App Registration"/>
+</Frame>
+
+3. Configure the application:
+   - Name: "Keep"
+
+<Info>Note that we are using "Register an application to integrate with Microsoft Entra ID (App you're developing)" since you're self-hosting Keep and need direct control over the authentication flow and permissions for your specific instance - unlike the cloud/managed version where Keep's team has already configured a centralized application registration.</Info>
+
+<Frame>
+  <img src="/images/azuread_2.png" width="1000" alt="Azure AD App Registration"/>
+</Frame>
+
+4. Configure the application (continue)
+- Supported account types: "Single tenant"
+
+<Info>
+We recommend using "Single tenant" for enhanced security as it restricts access to users within your organization only. While multi-tenant configuration is possible, it would allow users from any Azure AD directory to access your Keep instance, which could pose security risks unless you have specific cross-organization requirements.
+</Info>
+
+    - Redirect URI: "Web" + your redirect URI
+
+<Info>
+We use "Web" platform instead of "Single Page Application (SPA)" because Keep's backend handles the authentication flow using client credentials/secrets, which is more secure than the implicit flow used in SPAs. This prevents exposure of tokens in the browser and provides stronger security through server-side token validation and refresh token handling.
+</Info>
+
+<Tip>
+For localhost, the redirect would be http://localhost:3000/api/auth/callback/azure-ad
+
+For production, it should be something like http://your_keep_frontend_domain/api/auth/callback/azure-ad
+
+</Tip>
+
+<Frame>
+  <img src="/images/azuread_3.png" width="1000" alt="Azure AD App Registration"/>
+</Frame>
+
+5. Finally, click "register"
+
+### Configure Authentication
+After we created the application, let's configure the authentication.
+
+1. Go to "App Registrations" -> "All applications"
+
+<Frame>
+  <img src="/images/azuread_4.png" width="1000" alt="Azure AD Authentication Configuration"/>
+</Frame>
+
+
+2. Click on your application -> "Add a certificate or secret"
+
+<Frame>
+  <img src="/images/azuread_5.png" width="1000" alt="Azure AD Authentication Configuration"/>
+</Frame>
+
+
+3. Click on "New client secret" and give it a name
+
+<Frame>
+  <img src="/images/azuread_6.png" width="1000" alt="Azure AD Authentication Configuration"/>
+</Frame>
+
+4. Keep the "Value", we will use it soon as `KEEP_AZUREAD_CLIENT_SECRET`
+
+<Frame>
+  <img src="/images/azuread_7.png" width="1000" alt="Azure AD Authentication Configuration"/>
+</Frame>
+
+### Configure Groups
+
+Keep maps Azure AD groups to roles with two default groups:
+1. Admin Group (read + write)
+2. NOC Group (read only)
+
+To create those groups, go to Groups -> All groups and create two groups:
+
+<Frame>
+  <img src="/images/azuread_16.png" width="1000" alt="Azure AD Authentication Configuration"/>
+</Frame>
+
+Keep the Object id of these groups and use it as `KEEP_AZUREAD_ADMIN_GROUP_ID` and `KEEP_AZUREAD_NOC_GROUP_ID`.
+
+### Configure Group Claims
+
+1. Navigate to **Token configuration**
+
+<Frame>
+  <img src="/images/azuread_8.png" width="1000" alt="Azure AD Authentication Configuration"/>
+</Frame>
+
+
+2. Add groups claim:
+   - Select "Security groups" and "Groups assigned to the application"
+   - Choose "Group ID" as the claim value
+
+<Frame>
+  <img src="/images/azuread_9.png" width="1000" alt="Azure AD Authentication Configuration"/>
+</Frame>
+
+
+<Frame>
+  <img src="/images/azuread_10.png" width="1000" alt="Azure AD Authentication Configuration"/>
+</Frame>
+
+### Configure Application Scopes
+
+1. Go to "Expose an API" and click on "Add a scope"
+
+<Frame>
+  <img src="/images/azuread_11.png" width="1000" alt="Azure AD Authentication Configuration"/>
+</Frame>
+
+2. Keep the default Application ID and click "Save and continue"
+
+<Frame>
+  <img src="/images/azuread_12.png" width="1000" alt="Azure AD Authentication Configuration"/>
+</Frame>
+
+3. Add "default" as scope name, also give a display name and description
+
+<Frame>
+  <img src="/images/azuread_13.png" width="1000" alt="Azure AD Authentication Configuration"/>
+</Frame>
+
+3. Finally, click "Add scope"
+
+<Frame>
+  <img src="/images/azuread_14.png" width="1000" alt="Azure AD Authentication Configuration"/>
+</Frame>
+
+## Setup Instructions (on Keep)
+
+After you configured Azure AD you should have the following:
+1. Azure AD Tenant ID
+2. Azure AD Client ID
+
+How to get:
+
+<Frame>
+  <img src="/images/azuread_15.png" width="1000" alt="Azure AD Authentication Configuration"/>
+</Frame>
+
+3. Azure AD Client Secret [See Configure Authentication](#configure-authentication).
+4. Azure AD Group ID's for Admins and NOC (read only) [See Configure Groups](#configure-groups).
+
+
+### Configuration
+
+#### Frontend
+
+| Environment Variable | Description | Required | Default Value |
+|--------------------|-------------|:---------:|:-------------:|
+| AUTH_TYPE | Set to 'AZUREAD' for Azure AD authentication | Yes | - |
+| KEEP_AZUREAD_CLIENT_ID | Your Azure AD application (client) ID | Yes | - |
+| KEEP_AZUREAD_CLIENT_SECRET | Your client secret | Yes | - |
+| KEEP_AZUREAD_TENANT_ID | Your Azure AD tenant ID | Yes | - |
+| NEXTAUTH_URL | Your Keep application URL | Yes | - |
+| NEXTAUTH_SECRET | Random string for NextAuth.js | Yes | - |
+
+#### Backend
+
+| Environment Variable | Description | Required | Default Value |
+|--------------------|-------------|:---------:|:-------------:|
+| AUTH_TYPE | Set to 'AZUREAD' for Azure AD authentication | Yes | - |
+| KEEP_AZUREAD_TENANT_ID | Your Azure AD tenant ID | Yes | - |
+| KEEP_AZUREAD_CLIENT_ID | Your Azure AD application (client) ID | Yes | - |
+| KEEP_AZUREAD_ADMIN_GROUP_ID | The group ID of Keep Admins (read write) | Yes | - |
+| KEEP_AZUREAD_NOC_GROUP_ID | The group ID of Keep NOC (read only) | Yes | - |
+
+## Features and Limitations
+
+#### Supported Features
+- Single Sign-On (SSO)
+- Role-based access control through Azure AD groups
+- Multi-factor authentication (when configured in Azure AD)
+
+#### Limitations
+See [Overview](/deployment/authentication/overview)
diff --git a/docs/deployment/authentication/overview.mdx b/docs/deployment/authentication/overview.mdx
@@ -13,6 +13,7 @@ Keep supports various authentication providers and architectures to accommodate
 - [**DB**](/deployment/authentication/db-auth) - Simple username/password authentication. Works well for small teams or for dev/stage environments. Users and hashed password are stored on DB.
 - [**Auth0**](/deployment/authentication/auth0-auth) - Utilize Auth0 for scalable, auth0-based authentication.
 - [**Keycloak**](/deployment/authentication/keycloak-auth) - Utilize Keycloak for enterprise authentication methods such as SSO/SAML/OIDC, advanced RBAC with custom roles, resource-level permissions, and integration with user directories (LDAP).
+- [**AzureAD**](/deployment/authentication/azuread-auth) - Utilize Azure AD for SSO/SAML/OIDC nterprise authentication.
 
 Choosing the right authentication strategy depends on your specific use case, security requirements, and deployment environment. You can read more about each authentication provider.
 
@@ -27,6 +28,7 @@ Choosing the right authentication strategy depends on your specific use case, se
 | **Auth0**             |  ✅ <br />(Predefiend roles)  |     ✅     |  🚧  |             🚧            |        ✅        |         🚧        |    ❌    |   **EE**   |
 | **Keycloak**          |  ✅ <br />(Custom roles)  |     ✅     |  ✅   |             ✅            |        ✅        |         ✅         |    ✅    |   **EE**    |
 | **Oauth2Proxy**       |  ✅ <br />(Predefiend roles)  |     ✅     |  ❌   |             ❌            |        N/A        |         N/A         |    ✅    |   **OSS**   |
+| **Azure AD**       |  ✅ <br />(Predefiend roles)  |     ✅     |  ❌   |             ❌            |        By Azure AD        |         By Azure AD         |    ✅    |   **EE**   |
 ### How To Configure
 <Tip>
 Some authentication providers require additional environment variables. These will be covered in detail on the specific authentication provider pages.
@@ -41,5 +43,6 @@ The authentication scheme on Keep is controlled with environment variables both
 | **Auth0**                           |  `AUTH_TYPE=AUTH0`  | `AUTH0_DOMAIN`, `AUTH0_CLIENT_ID`, `AUTH0_CLIENT_SECRET` |
 | **Keycloak** | `AUTH_TYPE=KEYCLOAK` | `KEYCLOAK_URL`, `KEYCLOAK_REALM`, `KEYCLOAK_CLIENT_ID`, `KEYCLOAK_CLIENT_SECRET` |
 | **Oauth2Proxy** | `AUTH_TYPE=OAUTH2PROXY` | `OAUTH2_PROXY_USER_HEADER`, `OAUTH2_PROXY_ROLE_HEADER`, `OAUTH2_PROXY_AUTO_CREATE_USER` |
+| **AzureAD** | `AUTH_TYPE=AZUREAD` | See [AzureAD Configuration](/deployment/authentication/azuread-auth) |
 
 For more details on each authentication strategy, including setup instructions and implications, refer to the respective sections.
diff --git a/docs/deployment/configuration.mdx b/docs/deployment/configuration.mdx
@@ -25,6 +25,7 @@ General configuration variables control the core behavior of the Keep server. Th
 | **KEEP_API_URL** | Specifies the Keep API URL | No | Constructed from HOST and PORT | Valid URL |
 | **KEEP_STORE_RAW_ALERTS** | Enables storing of raw alerts | No | "false" | "true" or "false" |
 | **TENANT_CONFIGURATION_RELOAD_TIME** | Time in minutes to reload tenant configurations | No | 5 | Positive integer |
+| **KEEP_LIVE_DEMO_MODE** | Keep will simulate incoming alerts and other activity | No | "false" | "true" or "false" |
 
 ### Logging and Environment
 <Info>
@@ -145,8 +146,16 @@ Posthog configuration controls Keep's integration with the Posthog analytics pla
 | Env var | Purpose | Required | Default Value | Valid options |
 |:-------------------:|:-------:|:----------:|:-------------:|:-------------:|
 | **POSTHOG_API_KEY** | API key for PostHog analytics | No | "phc_muk9qE3TfZsX3SZ9XxX52kCGJBclrjhkP9JxAQcm1PZ" | Valid PostHog API key |
-| **ENABLE_POSTHOG_API** | Enables or disables PostHog API | No | "false" | "true" or "false" |
-| **DISABLE_POSTHOG** | Disables PostHog integration | No | "false" | "true" or "false" |
+| **POSTHOG_DISABLED** | Disables PostHog integration | No | "false" | "true" or "false" |
+
+### Sentry
+<Info>
+Sentry configuration controls Keep's integration with Sentry for error monitoring and reporting. These settings are important for maintaining the stability and reliability of your Keep instance.
+</Info>
+
+| Env var | Purpose | Required | Default Value | Valid options |
+|:-------------------:|:-------:|:----------:|:-------------:|:-------------:|
+| **SENTRY_DISABLED** | Disables Sentry integration | No | "false" | "true" or "false" |
 
 ### Ngrok
 <Info>